    Podcast · Episode 31

    Understanding Cybersecurity Measures and Metrics for Medical Devices

    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Reviewed by Trevor Slattery

    COO · Blue Goat Cyber

    Last reviewed: May 1, 2026

    How do measures and metrics differ, and why is this distinction crucial for FDA submissions?

    In this episode, Christian and Trevor demystify the difference between cybersecurity measures and metrics in the context of FDA guidance. They explore what the FDA expects in submissions, emphasizing patch timelines, vulnerability tracking, and post-market data collection. They also discuss the importance of actionability over mere compliance and include real-world challenges like device downtime and risk in different environments.

    Key points:

    (0:30) Measures vs Metrics Defined

    • Measures are raw figures like time or count; metrics are calculated from measures.

    (4:06) FDA Guidance and Patch Timelines

    • FDA expects metrics like percentage of patched vulnerabilities and two patch-related durations.

    (7:49) Real-Time Alerts

    • Devices should notify users immediately of anomalies to compensate for lack of SOC monitoring.

    (14:01) When to Include Metrics in Submissions

    • Metrics aren’t always required during initial submission unless data is available.

    (18:07) Downtime, Rebooting, and Risk Profiles

    • Reboot times and system recovery durations should be treated as key measures.

    • Risk profiles shift based on device use environment.
